Re: [scim] SCIM Events: Github Issue #26, PR#28 (Input requested)

"Saxe, Dean" <deansaxe@amazon.com> Tue, 12 December 2023 17:34 UTC

From: "Saxe, Dean" <deansaxe@amazon.com>
To: "Saxe, Dean" <deansaxe=40amazon.com@dmarc.ietf.org>, Phillip Hunt <phil.hunt@independentid.com>, SCIM WG <scim@ietf.org>
Date: Tue, 12 Dec 2023 17:34:38 +0000
Message-ID: <52C07894-4C89-4C02-A71F-68CD12DC3539@amazon.com>
References: <247545D1-8E0A-4969-A24C-6B3150C2D101@independentid.com> <DFD86562-1B0F-4EA0-A606-440B1D9806A1@amazon.com>
In-Reply-To: <DFD86562-1B0F-4EA0-A606-440B1D9806A1@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/GAGcOKBFjO5CvMHTtKc5GkPi1ps>

s/dradr/draft/

=)

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com<mailto:deansaxe@amazon.com> | M: 206-659-7293<tel:206-659-7293>

From: scim <scim-bounces@ietf.org> on behalf of "Saxe, Dean" <deansaxe=40amazon.com@dmarc.ietf.org>
Date: Monday, December 11, 2023 at 3:50 PM
To: Phillip Hunt <phil.hunt@independentid.com>, SCIM WG <scim@ietf.org>
Subject: RE: [EXTERNAL] [scim] SCIM Events: Github Issue #26, PR#28 (Input requested)


My reasoning is twofold:

First, SCIM is not a protocol for sending security events/signals/data, it’s a protocol for synchronization of resources (human and otherwise) between disparate systems.  Signaling, as described in the draft, is not a security function, it’s a mechanism to ensure that the systems are in sync.  Further, the dradr enables asynchronous processing of bulk updates to the server using SETs to convey the state of the async bulk updates.

Second, the RISC and CAEP protocols sufficiently cover this space and do so with more granularity than is offered in this specification.  CAEP has a well-defined set of credential change signals<https://openid.net/specs/openid-caep-specification-1_0.html#rfc.section.3.3>. RISC profiles signals regarding credential recovery activation<https://openid.net/specs/openid-risc-profile-specification-1_0.html#rfc.section.2.9> and changes to how credential recovery is configured<https://openid.net/specs/openid-risc-profile-specification-1_0.html#rfc.section.2.10>.

I feel that profiling these in the proposed standard would conflict with the work already occurring in the OpenID Foundation specifications which have reached Implementers Draft.

Thanks,
-dhs


From: scim <scim-bounces@ietf.org> on behalf of Phillip Hunt <phil.hunt@independentid.com>
Date: Sunday, December 10, 2023 at 2:24 PM
To: SCIM WG <scim@ietf.org>
Subject: [EXTERNAL] [scim] SCIM Events: Github Issue #26, PR#28 (Input requested)


Dean has requested that SCIM Signals be removed from the specification as they duplicate RISC specifications published by OpenID Foundation. WG input is requested:
References:

Privacy considerations - Risk Signals Events · Issue #26 · ietf-scim-wg/draft-ietf-scim-events <https://github.com/ietf-scim-wg/draft-ietf-scim-events/issues/26>

Removed authMethod/pwdReset from IANA registry by dhs-aws · Pull Request #28 · ietf-scim-wg/draft-ietf-scim-events <https://github.com/ietf-scim-wg/draft-ietf-scim-events/pull/28>

This request means removing section 2.5.  A copy of that section is posted below.

Reasons to have Section 2.5:

1. A provisioning endpoint such as SCIM may be the originating source of the security signal. The events are expressed using SCIM Identifiers rather than OpenID's much more complex system (which uses per-feed configurable identifiers).
2. Because of signing requirements, a SCIM Signal might get republished as part of a larger or different security signals system before distributing to a third party. For example, the SCIM subject identifier is translated along with the event into a proper RISC event. This may be done because the SCIM system doesn't have the full OIDC context of the resource (e.g. because it may run off a different identity data store).
3. Authentication factor changes and password resets might trigger other provisioning workflows.
4. Changes to authentication attributes are not typically propagated as provisioning events because the raw values are not, and should not be, made available.

I am neutral on this issue. I can see both sides of the concern.

Please reply with your comments and indicate:

YES - Please remove section 2.5 SCIM Signals Events

NO - Please leave section 2.5 as is (or with proposed changes)

Thanks,

Phil
phil.hunt@independentid.com

Section 2.5

2.5.  SCIM Signals Events

   This section defines security signal events that have occurred within
   a SCIM Service Provider.  The URI prefix for these events is:
   urn:ietf:params:SCIM:event:signal

2.5.1.  urn:ietf:params:SCIM:event:sig:authMethod

   A new authentication method has been added to the User profile.  As
   attackers often use new authentication methods to lock Users out of
   their account, this signal can be used to inform the receiver that
   the risk to the account may be temporarily elevated.  The receiver MAY
   also wish to take action such as resetting current authorizations or
   sessions.

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "sub_id": {
       "format": "scim",
       "uri": "/Users/44f6142df96bd6ab61e7521d9"
     },
     "events":{
       "urn:ietf:params:SCIM:event:sig:authMethod": {}
     },
     "iat": 1458496025,
     "iss": "https://scim.example.com"
   }

         Figure 12: Example SCIM Authentication Factor Change Event

2.5.2.  urn:ietf:params:SCIM:event:sig:pwdReset

   The specified resource (e.g. User) has changed its password or the
   password has been reset.  When the password has changed, the
   attributes attribute is supplied with the value "password".

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "sub_id": {
       "format": "scim",
       "uri": "/Users/44f6142df96bd6ab61e7521d9"
     },
     "events": {
       "urn:ietf:params:SCIM:event:sig:pwdReset": {}
     },
     "iat": 1458496025,
     "iss": "https://scim.example.com",
     "aud":[
       "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
       "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ]
   }

               Figure 13: Example SCIM Password Change Event
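An added example (not code from the draft or from anyone in this thread) of what reasons 2 and 4 above describe: a receiver validates a SCIM Signals SET such as Figure 13 and republishes it as a CAEP credential-change event, translating the SCIM subject to an iss_sub identifier without ever carrying a credential value. Assumed and not from the page: the CAEP event type URI and its credential_type/change_type claims, the transmitter URL, and the feed name; the Figure 13 payload is constructed inline.

```python
# Event URIs exactly as they appear in the quoted Section 2.5.
SCIM_SIG_AUTHMETHOD = "urn:ietf:params:SCIM:event:sig:authMethod"
SCIM_SIG_PWDRESET = "urn:ietf:params:SCIM:event:sig:pwdReset"
# Assumed from the OpenID CAEP spec, not this thread: credential-change event type.
CAEP_CRED_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"

# Constructed sample: the decoded payload of Figure 13 (JWT signature already verified).
FIGURE_13 = {
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
    "sub_id": {"format": "scim", "uri": "/Users/44f6142df96bd6ab61e7521d9"},
    "events": {SCIM_SIG_PWDRESET: {}},
    "iat": 1458496025, "iss": "https://scim.example.com",
    "aud": ["https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
            "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"],
}


def validate_scim_signal(payload, my_feed, now, max_age=300):
    """Check the claims a receiver relies on before acting; return (event_uri, body)."""
    for claim in ("jti", "iss", "iat", "sub_id", "events"):
        if claim not in payload:
            raise ValueError(f"missing required claim: {claim}")
    sub = payload["sub_id"]
    if sub.get("format") != "scim" or not str(sub.get("uri", "")).startswith("/"):
        raise ValueError("sub_id must be a SCIM relative resource URI")
    aud = payload.get("aud")  # Figure 13 addresses one SET to two feeds
    if aud is not None and my_feed not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("SET not addressed to this feed")
    if now - payload["iat"] > max_age:  # a stale signal must not revoke live sessions
        raise ValueError("SET too old")
    known = [(u, b) for u, b in payload["events"].items()
             if u in (SCIM_SIG_AUTHMETHOD, SCIM_SIG_PWDRESET)]
    if len(known) != 1:
        raise ValueError("expected exactly one SCIM Signals event")
    return known[0]


def to_caep_event(payload, event_uri, transmitter="https://ssf.example.com"):
    """Republish as a CAEP credential-change SET (reason 2 above): the SCIM subject
    becomes an RFC 9493 iss_sub identifier and no raw credential value is carried."""
    if event_uri != SCIM_SIG_PWDRESET:
        # authMethod names no credential type, so a faithful CAEP claim cannot be built.
        raise ValueError("authMethod signal carries no credential_type to translate")
    return {
        "jti": payload["jti"],  # kept so the republished event can be traced back
        "iss": transmitter, "iat": payload["iat"],
        "sub_id": {"format": "iss_sub", "iss": payload["iss"], "sub": payload["sub_id"]["uri"]},
        "events": {CAEP_CRED_CHANGE: {"credential_type": "password", "change_type": "update"}},
    }
```

The authMethod signal is refused because it names no credential type, which is the granularity gap Dean's reply points to.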